JavaRanch » Java Forums » Java » Beginning Java
normalize string

Doel Durieux
Greenhorn

Joined: Mar 14, 2012
Posts: 4
Hi everyone,
I am new to Java and I am working with the Normalize class.
I am trying to normalize Unicode to check for XSS. If I pass the input string to a method and normalize that string inside the method, it does not work. But if I define the string inside the method (hardcode the value in the string variable) and pass it to the normalize function, it will work.

Example 1


// This doesn't work; it returns the same string I entered.

Example 2


// This works. It converts the Unicode to "<"

Any thoughts?
Thank you in advance for the help.

Doel
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18712
    
    8

Neither of those code fragments "work" because they won't even compile. How about if you show us a complete example? (See the page at SSCCE to see what that means.)
Doel Durieux
Greenhorn

Joined: Mar 14, 2012
Posts: 4
I am sorry for the code. This is my first time.
Here is what I am trying to do:



The input I get back from the JSP page is "\uFE64" and this is the value that gets passed to this method, and after it is normalized it still prints "uFE64", whereas the previous piece of code prints "<".
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18712
    
    8

I still don't understand.

It seems that you are claiming that passing a string as a parameter to a method works differently than using the same string as a local variable in that method, although you haven't really posted an example of that claim. But obviously that isn't the case. So your problem must be that the string you are passing as the parameter is not the same as the string you are hard-coding as the local variable.

At any rate, an explanation of a problem normally tells the reader what was input, what was output, and what was expected to be output instead. You haven't really provided any of those things; it would help if you did.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18712
    
    8

Doel Durieux wrote: The input I get back from the JSP page is "\uFE64" and this is the value that gets passed to this method, and after it is normalized it still prints "uFE64", whereas the previous piece of code prints "<".


Aha, sorry, you must have been editing as I was typing my last reply. So disregard what I typed there, this is much better information.

When you use code like this:



that's called a "Unicode escape". When the Java compiler sees that literal in your source code, it interprets it as a single Unicode character. In this case it's the character U+FE64. Now that's the Java compiler doing that, remember.

When you type "\uFE64" somewhere else, in an HTML form which is sent to your web application for example, the Java compiler is not involved. So that string is treated as the 6 characters that you see there and it's not converted to a single Unicode character. That's the difference.
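As an added illustration of the difference Paul describes (example code written for this thread, not posted by either participant), the class below runs java.text.Normalizer in NFKC form over both shapes of the input: the compiled literal "\uFE64", which the Java compiler turns into the single code point U+FE64 (SMALL LESS-THAN SIGN, whose compatibility mapping is "<"), and the six-character string a browser would send when a user types backslash, u, F, E, 6, 4 into a form. The form string here is constructed inline, not read from a real request, and the class and method names are my own.

```java
import java.text.Normalizer;
import java.util.stream.Collectors;

public class NormalizeEscapeDemo {

    // What the Java compiler produces from the escape "\uFE64": ONE character, U+FE64.
    static final String COMPILED_LITERAL = "\uFE64";

    // What arrives from an HTML form when the user literally types \uFE64:
    // six characters ('\\', 'u', 'F', 'E', '6', '4'). Constructed sample; no servlet involved.
    static final String FORM_TEXT = "\\uFE64";

    // NFKC folds compatibility characters onto their canonical equivalents,
    // so U+FE64 becomes U+003C ('<'). Plain ASCII text is left untouched.
    static String normalize(String s) {
        return Normalizer.normalize(s, Normalizer.Form.NFKC);
    }

    // A validation step that looks for markup characters only after normalizing,
    // so a compatibility look-alike cannot slip past a check written for '<' and '>'.
    static boolean containsMarkupAfterNormalization(String s) {
        String n = normalize(s);
        return n.indexOf('<') >= 0 || n.indexOf('>') >= 0;
    }

    // Lists the code points of a string as U+XXXX so the two inputs can be compared by eye.
    static String codePoints(String s) {
        return s.codePoints()
                .mapToObj(cp -> String.format("U+%04X", cp))
                .collect(Collectors.joining(" "));
    }

    static void describe(String label, String s) {
        System.out.printf("%-16s length=%d  code points=[%s]  NFKC=\"%s\"  markup after NFKC=%b%n",
                label, s.length(), codePoints(s), normalize(s), containsMarkupAfterNormalization(s));
    }

    public static void main(String[] args) {
        describe("compiled literal", COMPILED_LITERAL);
        describe("form text", FORM_TEXT);
    }
}
```

Running the class prints one line per input: the compiled literal has length 1 and a single code point that NFKC maps to "<", while the form text has length 6 and is unchanged by normalization, because to the runtime it is just ASCII. Normalizing before validation is still the right order for input that really does contain compatibility characters; it simply does nothing for a string that contains the six ASCII characters of an escape sequence, since no component in the request path interprets that escape.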
Doel Durieux
Greenhorn

Joined: Mar 14, 2012
Posts: 4
Thanks for the reply, I understand now.
So if someone is trying to input malicious code using Unicode instead of "<" ">", is there no need to normalize the input string before validating the string to make sure there is no malicious code???
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18712
    
    8

I have no idea. From the little bit of what I found by googling "xss unicode normalization" it seems that most of the concern seems to be about converting bytes to Unicode characters in a non-standard fashion. What you posted there is nothing to do with that at all, I don't think.

However don't take me to be an expert. I'm not. I know almost nothing about this. My only advantage over you is that I know the terminology better than you, which makes me believe you are doing something useless. That doesn't mean that there is nothing to be done, it only means that what you are doing probably isn't it. If cross-site scripting is a concern for you then you really ought to hire a security expert who knows how to deal with it. Don't imagine that you can spend a couple of days asking questions on a forum and become that expert.
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 39478
    
  28
And welcome to the Ranch.
Doel Durieux
Greenhorn

Joined: Mar 14, 2012
Posts: 4
Thank you Paul for all the information. I appreciate it a lot!!
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: normalize string